CyberWire Daily

3,655 episodes — Page 32 of 74

S6 Ep 1632: Nomad cryptocurrency bridge looted. BlackCat ransomware hits European energy company. DSIRF disputes Microsoft's report on cyber mercenaries. Are there spies under Mr. Putin’s long table?

Nomad cryptocurrency bridge is looted. The BlackCat ransomware gang hits a Luxembourgeois energy company. DSIRF disputes Microsoft's characterization of the Austrian firm as cyber mercenaries. Ben Yelin looks at privacy concerns in the education software market. Our guest is PJ Kirner from Illumio to discuss Zero Trust Segmentation. And, finally, are there spies under Mr. Putin’s very very long table? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/147

Selected reading:
Crypto Firm Nomad Loses Nearly $200 Million in Bridge Hack (Bloomberg)
Crypto Bridge Nomad Drained of Nearly $200M in Exploit (CoinDesk)
Nomad token bridge drained of $190M in funds in security exploit (Cointelegraph)
Nomad token bridge hacked in nearly $200 million exploit (mint)
BlackCat ransomware gang hits Luxembourg energy supplier Creos (Computing)
Luxembourg energy provider Encevo Group battles ransomware attack by BlackCat (Tech Monitor)
BlackCat ransomware claims attack on European gas pipeline (BleepingComputer)
Luxembourg energy companies struggling with alleged ransomware attack, data breach (The Record by Recorded Future)
Austrian spy firm accused by Microsoft says hacking tool was for EU states (Reuters)
Dilyana Gaytandzhieva: Putin’s Elite Inner Circle Infiltrated By Nato Informants (SouthFront)
GEC Special Report: Pillars of Russia’s Disinformation and Propaganda Ecosystem (US Department of State)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Aug 2, 2022 | 27 min

S6 Ep 1631: KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp.

KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp. Rick Howard previews season ten of the CSO Perspectives podcast. Our guest is Nate Kharrl of SpecTrust on deploying fraud detection at the gateway. And a heartfelt farewell to a woman whose inspiration lives on. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/146

Selected reading:
Cyberactivist Group Killnet Declares War on Lockheed Martin (Sputnik)
Russian Hackers Target U.S. HIMARS Maker in 'New Type of Attack': Report (Newsweek)
Founder of pro-Russian hacktivist Killnet quitting group (SC Magazine)
Huge network of 11,000 fake investment sites targets Europe (BleepingComputer)
Microsoft links Raspberry Robin malware to Evil Corp attacks (BleepingComputer)
Microsoft ties novel ‘Raspberry Robin’ malware to Evil Corp cybercrime syndicate (The Record by Recorded Future)
FakeUpdates malware delivered via Raspberry Robin has possible ties to EvilCorp (SC Magazine)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself (Microsoft Security)
Australia charges dev of Imminent Monitor RAT used by domestic abusers (BleepingComputer)
Brisbane teenager built spyware used by domestic violence perpetrators across world, police allege (the Guardian)

Aug 1, 2022 | 27 min

S3 Ep 110: Larry Cashdollar: Always learning new technology. [Intelligence response engineer] [Career Notes]

bonus

Larry Cashdollar, Principal Security Intelligence Response Engineer at Akamai Technologies, sits down with Dave Bittner to discuss his life leading up to working at Akamai. He shares his story from his beginnings to now, describing what college life was like as a young computer enthusiast. He says "If you look at my 1986 yearbook, I think it was my sixth grade class, it says computer scientist for my career path. So I had a love of computers when I was really young. I guess I knew what field I wanted to get into right off the bat." He describes different career paths that all led him to his current position. He also shares his love for computers and technology through the decades of his youth, and how he is learning, even now. We thank Larry for sharing his story.

Jul 31, 2022 | 7 min

S5 Ep 243: What malicious campaign is lurking under the surface? [Research Saturday]

bonus

Israel Barak, CISO from Cybereason, sits down with Dave to discuss their research, "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation." Cybereason researchers recently found an attack lurking beneath the surface which was assessed to be the work of Chinese APT Winnti. Cybereason briefed the FBI and the DOJ on the investigation into the malicious campaign. The research states, "For years, the campaign had operated undetected, siphoning intellectual property and sensitive data." The team quickly made two reports on the campaign, one sharing an examination on the tactics and techniques. The second gives a detailed analysis of the malware and exploits used. The research can be found here: Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation

Jul 30, 2022 | 21 min

S6 Ep 1630: Hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Notes on the C2C market. Rewards for Justice seeks some righteous snitches.

Anonymous's hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Phishing in the IPFS. Update on the initial access criminal-to-criminal market and its effect on MSPs. Cyber gangs move away from malicious macros. Thomas Etheridge from CrowdStrike on managed detection and response. Rick Howard sits down with Art Poghosyan from Britive to discuss DevSecOps and Identity Management. And Rewards for Justice seeks some righteous snitches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/145

Selected reading:
Putin 'embarrassed' as hackers launch cyber war on Russian President over Ukraine invasion (Express.co.uk)
Is Anonymous Rewriting the Rules of Cyberwarfare? Timeline of Their Attacks Against the Russian Government (Website Planet)
HolyGhost’s Bargain Basement Approach To Ransomware (Digital Shadows)
IPFS: The New Hotbed of Phishing (Trustwave)
Threat Advisory: Hackers Are Selling Access to MSPs (Huntress)
"We’re currently monitoring a situation that entails a hacker selling access to an MSP with access to 50+ customers, totaling 1,000+ servers."
Experts warn of hacker claiming access to 50 U.S. companies through breached MSP (The Record by Recorded Future)
How Threat Actors Are Adapting to a Post-Macro World (Proofpoint)
Rewards for Justice – Reward Offer for Information on Russian Interference in U.S. Elections (United States Department of State)

Jul 29, 2022 | 26 min

S6 Ep 1629: SSSCIP and CISA sign memorandum of cooperation. Tailored security services, or just hired guns? Bringing PSOAs to heel. More credential-harvesting.

SSSCIP and CISA sign a memorandum of cooperation. Are private-sector offensive actors tailored security services, or are they just hired guns? Bringing cyber mercenaries to heel. Malek Ben Salem from Accenture on why crisis management is at the heart of ransomware resilience. Our guest is Derek Manky from Fortinet on the World Economic Forum Partnership Against Cybercrime. And more credential-harvesting scams are out in the wild. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/144

Selected reading:
United States and Ukraine Expand Cooperation on Cybersecurity (CISA)
US, Ukraine sign pact to expand cooperation in cyberspace (The Hill)
Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits (Microsoft Security)
Continuing the fight against private sector cyberweapons (Microsoft On the Issues)
Experts Urge Congress to Pressure Commercial Spyware Vendors (Decipher)
Mirroring Actual Landing Pages for Convincing Credential Harvesting (Avanan)

Jul 28, 2022 | 23 min

S6 Ep 1628: The cost of a data breach as an economic drag. Personal apps as a potential business risk. Why so little ransomware in Ukraine? Employee engagement study reaches predictably glum conclusions.

IBM reports on the cost of a data breach. Personal apps as a potential business risk. Over on the dark side, there’s help wanted in the C2C labor market. An employee engagement study reaches predictably glum conclusions. Betsy Carmelite from Booz Allen Hamilton on reducing software supply chain risks with SBOMs. Our guest is Elaine Lee from Mimecast discussing the pros and cons of AI in cybersecurity. And why so much attempted DDoS, but not so much ransomware? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/143

Selected reading:
IBM Report: Consumers Pay the Price as Data Breach Costs Reach All-Time High (IBM Newsroom)
Cost of a Data Breach Report 2022 (IBM Security)
Netskope Threat Research: Data Sprawl Creating Risk for Organizations Worldwide as Personal App Use in Business Continues to Rise (PR Newswire)
Financial Incentives May Explain the Perceived Lack of Ransomware in Russia’s Latest Assault on Ukraine (Council on Foreign Relations)
Tessian | 1 in 3 Employees Do Not Understand the Importance of Cybersecurity at Work, According to New Report (RealWire)

Jul 27, 2022 | 25 min

S6 Ep 1627: LockBit gets an upgrade. CosmicStrand UEFI firmware rootkit. Treating thieves like white hats? Most-impersonated brands. AV-Test's Twitter account is hijacked. The cyber phase of a hybrid war.

LockBit gets an upgrade. CosmicStrand firmware rootkit is out in a new and improved version. Are thieves being treated like white hats? AV-Test's Twitter account is hijacked. Joe Carrigan considers the mental health effects of the online scam economy. Mr. Security Answer Person John Pescatore ponders the cybersecurity talent gap. And ongoing speculation on the cyber phase of the hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/142

Selected reading:
LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities (Trend Micro)
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit (Securelist)
Crypto Firms Make Thieving Hackers an Offer: Keep a Little, Give Back the Rest (Wall Street Journal)
Phishers’ Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks (Vade Secure)
Testing times for AV-Test as Twitter account hijacked by NFT spammers (Graham Cluley)
Ukraine fall-out and new ransomware tactics elevate cyber risks (Strategic Risk Europe)
Ed’s note: The Ukrainian-Russian cyber war no one speaks about (Smart Energy)

Jul 26, 2022 | 26 min

S6 Ep 1626: The minor mystery of GPS-jamming. Twitter investigates apparent data breach. Ransomware C2 staging discovered. A C2C offering restricted to potential privateers.

The minor mystery of GPS-jamming. Twitter investigates an apparent data breach. Ransomware command and control staging is discovered. Andrea Little Limbago from Interos looks at the intersection of social sciences and cyber. Our guest is Nelly Porter from Google Cloud on the emerging idea of confidential computing. A C2C offering restricted to potential privateers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/141

Selected reading:
Why Isn’t Russia jamming GPS harder in Ukraine? (C4ISRNet)
Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k (9to5Mac)
Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum (The Record by Recorded Future)
Russian Ransomware C2 Network Discovered in Censys Data (Censys)
Researcher finds Russia-based ransomware network with foothold in U.S. (The Record by Recorded Future)
New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates (SecurityWeek)

Jul 25, 2022 | 26 min

S3 Ep 109: Mary Writz: Take a negative and make it into a positive. [VP Product Strategy] [Career Notes]

bonus

Mary Writz, Vice President of Product Strategy at ForgeRock, shares how each career path she has taken has led her to where she is now. Mary describes how she has been a woman working in a male dominated field for most of her career and how she had to take charge, and she had to get the men to take charge with her. She says "I was often leading people, mostly men older than me, potentially smarter than me, more well paid than me. So I had to learn how to think about galvanizing this group to charge forward with me, even though I was a bit of a minority in that way." She also states that she tells herself to always make a positive out of a negative by showing people how you can respond to what's happening with a lot of energy, focus, and care and that's what got her to where she is today.

Jul 24, 2022 | 6 min

S1 Ep 34: The great overcorrection: shifting left probably left you vulnerable. Here’s how you can make it right. [CyberWire-X]

Shifting left has been a buzzword in the application security space for several years now, and with good reason – making security an integral part of development is the only practical approach for modern agile workflows. But in their drive to build security testing into development as early as possible, many organizations are neglecting application security in later phases and losing sight of the big picture. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, talks with two Hash Table members, Centene’s VP and CISO for Healthcare Enterprises, Rick Doten, and Akamai’s Advisory CISO, Steve Winterfeld. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Invicti’s Chief Product Officer, Sonali Shah. They discuss the challenges and misunderstandings around shifting left, and provide tips on how organizations can implement a web application security program without tradeoffs throughout the whole application security lifecycle.

Jul 24, 2022 | 25 min

S5 Ep 242: Has GOLD SOUTHFIELD resumed operations? [Research Saturday]

bonus

Rob Pantazopoulos from Secureworks joins Dave to discuss their work on "REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence." Secureworks researchers published a new analysis on what can be considered the ‘first’ set of ransomware samples associated with the reemergence. These updated samples indicate that GOLD SOUTHFIELD has resumed operations. The research states "The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development." Researchers identified two samples, one in October of 2021, and the other in March of 2022. The March sample has modifications that lead researchers to distinguish the two samples from one another. The research can be found here: REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence

Jul 23, 2022 | 21 min

S6 Ep 1625: Espionage and counterespionage during the hybrid war. Assessing Russian cyberops. Conti's fate. Investigating cut Internet cables in France. Trends in “pig-butchering.”

Traditional espionage and counterespionage during the hybrid war. Assessing Russian cyberattacks. Conti's fate and effects. Investigating cut Internet cables in France. My conversation with AD Bryan Vorndran of the FBI Cyber Division on reverse webshell operation and Hafnium. Our guest is Tom Kellermann of VMware to discuss the findings of their Modern Bank Heists report. And, finally, the dark online world of “pig-butchering.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/140

Selected reading:
UK Spy Chief Sees Russia’s Military Running ‘Out of Steam’ Soon (Bloomberg)
Exhausted Russian army gives Ukraine chance to strike back, says British spy chief (The Telegraph)
'Cut by half' Putin's masterplan backfires as 400 Russian spies thrown out of Europe (Express)
Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief (the Guardian)
MI6 chief: Russia’s spies ‘not having a great war’ in Ukraine (The Record by Recorded Future)
CIA chief says 15,000 Russians killed in war, dismisses Putin health rumors (Washington Post)
CIA Chief Says Russia’s Iran Drone Deal Shows Military Weakness (Bloomberg)
Ukraine confronts Kremlin infiltration threat at unreformed state bodies (Atlantic Council)
US seeking to understand Russia’s failure to project cyber power in Ukraine (Defense News)
Battling Moscow's hackers prior to invasion gave Kyiv 'full dress rehearsal' for today's cyber warfare (CyberScoop)
How Conti ransomware hacked and encrypted the Costa Rican government (BleepingComputer)
Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion (AdvIntel)
Conti Criminals Resurface as Splinter RaaS Groups (Security Boulevard)
The Unsolved Mystery Attack on Internet Cables in Paris (Wired)
Massive Losses Define Epidemic of ‘Pig Butchering’ (KrebsOnSecurity)

Jul 22, 2022 | 28 min

S6 Ep 1624: Notes on the underworld: emerging, enduring, and vanishing gangs, and their C2C markets. More spearphishing of Ukrainian targets. US CYBERCOM releases IOCs obtained from Ukrainian networks.

A criminal talent broker emerges. Developing threats to financial institutions. Phishing through PayPal. Lessons to be learned from LAPSUS$, post-flameout. More spearphishing of Ukrainian targets. US Cyber Command releases IOCs obtained from Ukrainian networks. Johannes Ullrich from SANS on the value of keeping technology simple. Our guests are Carla Plummer and Akilah Tunsill from the organization Black Girls in Cyber. And not really honor, but honor’s self-interested first cousin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/139

Selected reading:
Atlas Intelligence Group (A.I.G) – The Wrath of a Titan (Cyberint)
'AIG' Threat Group Launches With Unique Business Model (Dark Reading)
Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities (Proofpoint)
Sending Phishing Emails From PayPal (Avanan)
Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group (Tenable®)
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities (Mandiant)
Cyber National Mission Force discloses IOCs from Ukrainian networks (U.S. Cyber Command)
The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back (HP Wolf Security)

Jul 21, 2022 | 28 min

S6 Ep 1623: Cyber phases of Russia’s hybrid war seem mostly espionage. Belgium accuses China of spying. LockBit ransomware spreads. And Micodus GPS tracker vulnerabilities are real and unpatched.

What’s Russia up to in cyberspace, nowadays? Belgium accuses China of cyberespionage. LockBit ransomware spreading through compromised servers. Malek Ben Salem from Accenture explains the Privacy Enhancing Technologies of Federated Learning with Differential Privacy guarantees. Rick Howard speaks with Rob Gurzeev from Cycognito on Data Exploitation. And Micodus GPS tracker vulnerabilities should motivate the user to turn the thing off. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/138

Selected reading:
Continued cyber activity in Eastern Europe observed by TAG (Google)
Declaration by the High Representative on behalf of the European Union on malicious cyber activities conducted by hackers and hacker groups in the context of Russia’s aggression against Ukraine (European Council)
China: Declaration by the Minister for Foreign Affairs on behalf of the Belgian Government urging Chinese authorities to take action against malicious cyber activities undertaken by Chinese actors (Federal Public Service Foreign Affairs)
Statement by the spokesperson of the Chinese Embassy in Belgium on the Belgian government's statement on cyberattacks (Embassy of the People's Republic of China in the Kingdom of Belgium)
LockBit: Ransomware Puts Servers in the Crosshairs (Broadcom Software Blogs | Threat Intelligence)
Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device (MiCODUS MV720) (BitSight)
CISA released Security Advisory on MiCODUS MV720 Global Positioning System (GPS) Tracker (CISA)

Jul 20, 2022 | 30 min

S6 Ep 1622: Espionage and cyberespionage. Albania's national IT networks work toward recovery. Malicious apps ejected from Google Play. White House summit addresses the cyber workforce. Notes on cybercrime.

A Cozy Bear sighting. Shaking up Ukraine's intelligence services. Albania's national IT networks continue to work toward recovery. US Justice Department seizes $500k from DPRK threat actors. The FBI warns of apps designed to defraud cryptocurrency speculators. A White House meeting today addresses the cyber workforce. Ben Yelin looks at our right to record police. Our guest is Tim Knudsen, Director of Product Management for Zero Trust at Google Cloud, speaking with Rick Howard. And another trend we’d like to be included out of. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/137

Selected reading:
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive (Unit 42)
Russian hacking unit Cozy Bear adds Google Drive to its arsenal, researchers say (CyberScoop)
Russian SVR hackers use Google Drive, Dropbox to evade detection (BleepingComputer)
Ukraine’s spy problem runs deeper than Volodymyr Zelensky’s childhood friend (The Telegraph)
Albanian government websites go dark after cyberattack (Register)
On Google Play, Joker, Facestealer, & Coper Banking Malware (Zscaler)
Justice Department seizes $500K from North Korean hackers who targeted US medical organizations (CNN)
Cyber Criminals Create Fraudulent Cryptocurrency Investment Applications to Defraud US Investors (US Federal Bureau of Investigation)
Announcement of White House National Cyber Workforce and Education Summit | The White House (The White House)
Fortinet Announces Free Training Offering for Schools at White House Cyber Workforce and Education Summit (Fortinet)
Not your average side hustle: the women making thousands from 'pay pigs' who enjoy being financially dominated (Business Insider)

Jul 19, 2022 | 29 min

S6 Ep 1621: Ukraine’s security chief and head prosecutor are out. Cyberattacks hit Albania. APTs prospect journalists. The GRU trolls researchers. CISA to open an attaché office in London.

Ukraine shakes up its security and prosecutorial services. Cyberattacks hit Albania. Advanced persistent threat actors prospect journalists. The GRU is said to be trolling researchers who look into Sandworm. Thomas Etheridge from CrowdStrike on identity management. Our guest is Robin Bell from Egress discussing their Human Activated Risk Report. And CISA opens a liaison office in London. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/136

Selected reading:
Ukraine's Zelenskyy fires top security chief and prosecutor (AP NEWS)
Zelenskiy Ousts Ukraine’s Security Chief and Top Prosecutor (Bloomberg)
Volodymyr Zelensky sacks top aides over 'Russian collaboration' (The Telegraph)
A massive cyberattack hit Albania (Security Affairs)
Information Systems Are Intact, Says Albanian Government after Cyber Attack (Exit - Explaining Albania)
Albania closes down online gov't systems after cyber attack (ANI News)
Albania Shuts Down Digital Services and Government Websites after Cyber Attack (Exit - Explaining Albania)
Hackers pose as journalists to breach news media org’s networks (BleepingComputer)
Cybersecurity Firm: What US Journalists Need To Know About The Foreign Hackers Targeting Them (Forbes)
Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine (Dark Reading)

Jul 18, 2022 | 24 min

S3 Ep 108: Mike Arrowsmith: Facing adversity in the workplace. [CTrO] [Career Notes]

Mike Arrowsmith, Chief Trust Officer at NinjaOne, leads the organization’s IT, security, and support infrastructure to ensure they meet customers’ security and data privacy demands as it scales. Mike discusses how his career path has led him to the position he currently holds and how exciting the world of cybersecurity can be. He mentioned how he mentored students in college thinking of going into the field, and he used a metaphor to help describe the industry, saying "We are working against adversaries that are always typically one step ahead. Figuratively, if you could imagine, you're trying to chase a ball, but you never can quite get your hands on it." He shares how he loves the evolving field and that he thrives in a situation where things are constantly changing. We thank Mike for sharing his story.

Jul 17, 2022 | 6 min

S1 Ep 33: Cybercriminals shift tactics from disruption to data leaks. [CyberWire-X]

On this episode of CyberWire-X, we examine double extortion ransomware. The large-scale cyber events of yesterday – Stuxnet, the Ukraine Power Grid Attack – were primarily focused on disruption. Cybercriminals soon shifted to ransomware with disruption still the key focus – and then took things to the next level with Double Extortion Ransomware. When ransomware first started to take off as the attack method of choice around 2015, the hacker playbook was focused on encrypting data, requesting payment and then handing over the encryption keys. Their methods escalated with Double Extortion, stealing data as well as encrypting it - and threatening to leak data if they don’t receive payment. We’ve seen with ransomware groups like Maze that they will follow through with publishing private information if not paid. In the first part of the show, Rick Howard, the CyberWire’s CSO, Chief Analyst, and Senior Fellow, talks with Wayne Moore, Simply Business' CISO and CyberWire Hash Table member, and, in the second half of the show, the CyberWire's podcast host Dave Bittner talks with Nathan Hunstad, episode sponsor Code42’s Deputy CISO. They discuss how classic ransomware protection such as offsite backups is no longer enough. They explain that Double Extortion means that you need to understand what data has been stolen and weigh the cost of paying with the cost of your data going public.

Jul 17, 2022 | 27 min

S5 Ep 241: A record breaking DDoS attack. [Research Saturday]

Chad Seaman, Team Lead at Akamai SIRT, joins Dave to discuss their research about a record-breaking DDoS Attack. The research says "A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks." Starting in mid-February 2022, security researchers, network operators, and security vendors noticed a spike in DDoS attacks. Researchers started to investigate the spike and determined that the devices that were being abused to launch these attacks are MiCollab and MiVoice Business Express collaboration systems. The research goes into how you can help mitigate the attacks and how Mitel has now released patched software. The research can be found here: CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

Jul 16, 2022 | 24 min

S6 Ep 1620: Criminal gangs at war. A "cyber world war?" A new DPRK ransomware operation. Media organizations targeted by state actors. NSA guidance on characterizing threats and risks to microelectronics.

Gangland goes to war. Is there a "cyber world war" in progress? Ukraine thinks so. A new North Korean ransomware operation is described, but it’s not yet clear if it’s a state operation or some moonlighting by Pyongyang’s operators. Media organizations remain attractive targets for state actors. NSA releases guidance on characterizing threats and risks to microelectronics. Betsy Carmelite from Booz Allen talks about why now is the time to plan for post-quantum cryptography. Our guest is Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly discussing her time at CISA and the work of her team. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/135

Selected reading:
Inside The Russian Cybergang Thought To Be Attacking Ukraine—The Trickbot Leaks (Forbes)
Who is Trickbot? (Cyjax)
NATO and the European Union work together to counter cyber threats (NATO)
The Man at the Center of the New Cyber World War (POLITICO)
Russian cyber threat to Canada worse than previously reported: CSE (National Post)
North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware (Microsoft Security)
Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media (Proofpoint)
NSA Publishes Guidance on Characterizing Threats, Risks to DoD Microelectronics (National Security Agency/Central Security Service)

Jul 15, 2022 | 34 min

S7 Ep 44: A conversation with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. [Special Edition]

In this extended interview, CyberWire Daily Podcast host Dave Bittner sits down with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly to discuss her time at CISA and the work of her team. This interview from July 15, 2022 originally aired as a shortened version on the CyberWire Daily Podcast.

Jul 15, 2022 | 31 min

S6 Ep 1619: Ukraine evaluates Russia’s cyber ops. Smartphones go to war. Lilith ransomware. ChromeLoader evolves. Rolling-PWN looks real after all. Schulte guilty in Vault 7 case.

An overview of the cyber phase of Russia's hybrid war. Smartphones as sources of targeting information. Lilith enters the ransomware game. ChromeLoader makes a fresh appearance. Honda acknowledges that Rolling-PWN is real (but says it's not as serious as some think). Part two of Carole Theriault’s conversation with Jen Caltrider from Mozilla's Privacy Not Included initiative. Our guest is Josh Yavor of Tessian to discuss Accidental Data Loss Over Email. A guilty verdict in the Vault 7 case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/134

Selected reading:
Ukraine's Cyber Agency Reports Q2 Cyber-Attack Surge (Infosecurity Magazine)
2022 Q2 (SSSCIP)
The weaponizing of smartphone location data on the battlefield (Help Net Security)
New Lilith ransomware emerges with extortion site, lists first victim (BleepingComputer)
"A new ransomware operation has been launched under the name 'Lilith,' and it has already posted its first victim on a data leak site created to support double-extortion attacks."
New Ransomware Groups on the Rise (Cyble)
"Cyble analyzes new ransomware families spotted in the wild led by notable examples such as LILITH, RedAlert, and 0Mega."
Researchers Uncover New Variants of the ChromeLoader Browser Hijacking Malware (The Hacker News)
ChromeLoader: New Stubborn Malware Campaign (Unit 42)
Honda Admits Hackers Could Unlock Car Doors, Start Engines (SecurityWeek)
Honda redesigning latest vehicles to address key fob vulnerabilities (The Record by Recorded Future)
Statement Of U.S. Attorney Damian Williams On The Espionage Conviction Of Ex-CIA Programmer Joshua Adam Schulte (US Department of Justice)
Ex-C.I.A. Engineer Convicted in Biggest Theft Ever of Agency Secrets (New York Times)
Former CIA Staffer Convicted For Massive Data Breach To WikiLeaks (Forbes)

Jul 14, 202229 min

S6 Ep 1618AiTM sets up BEC. Silent validation bots. Smishing attempt at the European Central Bank. Shields up in Berlin. Hacktivism in a hybrid war. Patch notes.

Adversary-in-the-middle sites support business email compromise. Silent validation carding bot discovered. Attempted social engineering at the European Central Bank. Germany puts its shields up. Carole Theriault speaks with Jen Caltrider about Mozilla's *Privacy Not Included initiative. Our guest is Lucia Milica on Proofpoint’s Voice of the CISO report. And hacktivism in a hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/133 Selected reading. From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud (Microsoft Security Blog) PerimeterX Discovers New Silent Validation Carding Bot (PerimeterX) Hackers posing as Merkel target ECB's Lagarde - German source (Reuters) European Central Bank head targeted in hacking attempt (AP NEWS) Cyberattack on top politicians: hackers used Merkel's mobile number to crack Lagarde's WhatsApp account (Business Insider) Germany bolsters defenses against Russian cyber threats (Deutsche Welle) Ukraine's cyber army hits Russian cinemas (CyberNews) DDoS attacks surge in popularity in Ukraine — but are they more than a cheap thrill? (The Record by Recorded Future) Microsoft Releases July 2022 Security Updates (CISA) CISA orders agencies to patch new Windows zero-day used in attacks (BleepingComputer) SAP Releases July 2022 Security Updates (CISA) Schneider Electric Easergy P5 and P3 (CISA) Dahua ASI7213X-T1 (CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 13, 202227 min

S6 Ep 1617High-end and low-end extortion. Push to start–wait, not you… Social media and open-source intelligence. Russian cyberattacks spread internationally. Preparing for cyber combat.

High-end and low-end extortion. Vehicles from Honda may soon be rolling off the lot. Social media and open-source intelligence. Russian cyberattacks spread internationally. Joe Carrigan surveys items for sale in dark web markets. Our guest is Jonathan Wilson of AU10TIX to discuss consumer sentiment around data privacy. Preparing for cyber combat. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/132 Selected reading. BlackCat (Aka ALPHV) Ransomware Is Increasing Stakes Up To $2,5M In Demands (Resecurity) Ransomware gang now lets you search their stolen data (BleepingComputer) Luna Moth: The Actors Behind the Recent False Subscription Scams (Sygnia) 'Luna Moth' Group Ransoms Data Without the Ransomware (Dark Reading) Hackers can unlock Honda cars remotely in Rolling-PWN attacks (BleepingComputer) Hackers Say They Can Unlock and Start Honda Cars Remotely (Vice) Rolling PWN (PWN) Russia launches attack on Poland as hackers declare war on 10 countries, including UK (Express) Vice Minister: cyber attacks are aimed at seeking publicity and raising tensions (DELFI) How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future) The Biggest Threat to the Military May Not Be What You Think (ClearanceJobs) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 12, 202227 min

S6 Ep 1616DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. Callback phishing impersonates security companies. Anubis is back. BlackCat ups the ante.

More deniable DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. A callback phishing campaign impersonates security companies. The Anubis Network is back. Thomas Etheridge from CrowdStrike on the importance of outside threat hunting. Rick Howard weighs in on sentient AI. And a ransomware gang ups the ante. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/131 Selected reading. Pro-Russian cybercriminals briefly DDoS Congress.gov (CyberScoop) Lithuania's state-owned energy group hit by 'biggest cyber attack in a decade' (lrt.lt) Ignitis Group hit by DDoS attack as Killnet continues Lithuania campaign (Tech Monitor) Russian ‘Hacktivists’ Are Causing Trouble Far Beyond Ukraine (Wired - 07-11-2022) Predatory Sparrow: Who are the hackers who say they started a fire in Iran? (BBC News) Hacktivists claiming attack on Iranian steel facilities dump tranche of 'top secret documents' (CyberScoop) Callback Phishing Campaigns Impersonate CrowdStrike, Other Cybersecurity Companies (CrowdStrike) Anubis Networks is back with new C2 server (Security Affairs) BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands (Help Net Security) Resecurity - BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands (Resecurity) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 11, 202226 min

S3 Ep 107Simone Petrella: Fake it, until you make it. [CEO] [Career Notes]

bonus

Simone Petrella, CEO of the cybersecurity workforce training firm CyberVista, spent her career in the Department of Defense as a threat intelligence analyst before founding CyberVista. She says that running a company throws a new set of challenges at you each day. She explains that the way she finds the most success is by letting her team contribute to each matter and have a say in the decisions made as they pertain to each department. Simone says, "I would say is I am a firm firm believer in the idea of empowering people to really own and kind of run with the things that they're passionate about." She notes that people will do amazing things when they are passionate, and that faking it until you make it is true, because you will get where you're going by having that passion and that inspiration. We thank Simone for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 10, 20227 min

S5 Ep 240Information operations during a war. [Research Saturday]

bonus

Alden Wahlstrom, senior analyst on Mandiant's Information Operations Team, shares a comprehensive overview and analysis of the various information operations activities they’ve seen while responding to the Russian invasion. While the full extent of the Russia-Ukraine war has yet to come to light, more than two months after the start of the invasion, Mandiant has identified activity that they believed to be information operations campaigns conducted by actors possibly in support of the political interests of nation-states such as Russia, Belarus, China, and Iran. The research shares a chart with all of the known information operations events that have taken place so far dating back to January of 2022. It also states that following the beginning of the Russian attack they have seen concerning signs, including "incidents involving the deployment of wiper malware disguised as ransomware." The research can be found here: The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 9, 202219 min

S6 Ep 1615An update on cyber operations in Russia’s hybrid war. NPM compromise updates. CISA releases ICS security advisories. Free ransomware decryptors released. Disneyland's Instagram account hijacked.

An update on cyber operations in the hybrid war. NPM compromise updates. Free decryptors for AstraLocker and Yashma ransomware. Johannes Ullrich from SANS on attacks against Perimeter Security Devices. Our guest is Sonali Shah from Invicti Security with a look at DevSecOps anxiety. And who’s the villain who hijacked the Instagram account of Disneyland? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/130 Selected reading. Russia-Ukraine war: List of key events, day 135 (Al Jazeera) Russia-Ukraine war: Putin warns Moscow has 'barely started' its campaign (The Telegraph) Russian Cybercrime Trickbot Group is systematically attacking Ukraine (Security Affairs) US finance sector encouraged to stay vigilant against retaliatory Russian cyberattacks (SC Magazine) Someone may be prepping an NPM crypto-mining spree (Register) ICS CERT Advisories (CISA) Free decryptor released for AstraLocker, Yashma ransomware victims (BleepingComputer) Disneyland’s Instagram Account Hacked With a Series of Profane, Racist Posts (Wall Street Journal) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 8, 202226 min

S6 Ep 1614Chinese industrial espionage warning. Trickbot's privateering. Russian influence ops target NATO resolve. Cozy Bear sighting. Chinese APTs target Russia. NFT scams are pestering Ukraine.

The FBI and MI-5 warn of Chinese industrial espionage. Revelations of Trickbot's privateering role. Russian influence operations target France, Germany, Poland, and Turkey. Chinese APTs target Russian organizations in a cyberespionage effort. Robert M. Lee from Dragos on CISA expanding the Joint Cyber Defense Collaborative. Ben Yelin speaks with Matt Kent from Public Citizen about the American Innovation and Online Choice Act. And who would guess it, but NFT scams are pestering Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/129 Selected reading. Heads of FBI, MI5 Issue Joint Warning on Chinese Spying (Wall Street Journal) FBI and MI5 leaders give unprecedented joint warning on Chinese spying (the Guardian) FBI and MI5 bosses: China cheats and steals at massive scale (Register) FBI director suggests China bracing for sanctions if it invades Taiwan (Washington Post) Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (Security Intelligence) Trickbot may be carrying water for Russia (Washington Post) Russia Info Ops Home In on Perceived Weak Links (VOA) Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (SentinelOne) Chinese hackers targeting Russian government, telecoms: report (The Record by Recorded Future) Near-undetectable malware linked to Russia's Cozy Bear (Register) Russia's Cozy Bear linked to nearly undetectable malware (Computing) When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors (Unit 42) NFT scammers see an opportunity in Ukraine donations (The Record by Recorded Future) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 7, 202231 min

S1 Ep 24CISA Alert AA22-187A – North Korean state-sponsored cyber actors use Maui ransomware to target the healthcare and public health sector. [CISA Cybersecurity Alerts]

The FBI, CISA, and the Department of the Treasury are releasing this joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health Sector organizations. AA22-187A Alert, Technical Details, and Mitigations Stairwell Threat Report: Maui Ransomware North Korea Cyber Threat Overview and Advisories Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments National Conference of State Legislatures: Security Breach Notification Laws Health Breach Notification Rule Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches StopRansomware.gov CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected]. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 6, 20222 min

S6 Ep 1613Quantum computing and security standards. Cyber war, and the persistence of cybercrime. DPRK ransomware versus healthcare. Cyber incidents and credit, in Shanghai and elsewhere.

Quantum computing and security standards. Notes on the cyber phases of a hybrid war, and how depressingly conventional cybercrime persists in wartime. Pyongyang operators are using Maui ransomware against healthcare targets. Malek Ben Salem from Accenture looks at the security risks of GPS. Our guest is Brian Kenyon of Island to discuss enterprise browser security. Shanghai's big data exposure. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/128 Selected reading. NIST Announces First Four Quantum-Resistant Cryptographic Algorithms (NIST) Winners of NIST's post-quantum cryptography competition announced (Computing) NIST unveils four algorithms that will underpin new 'quantum-proof' cryptography standards (SC magazine) NIST Identifies 4 Quantum-Resistant Encryption Algorithms (Nextgov.com) Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats (CISA) Quantum-resistant encryption recommended for standardization (Register) Keeping Phones Running in Wartime Pushes Kyivstar to the Limit (Bloomberg) The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan (CyberScoop) Ukrainian police takes down phishing gang behind payments scam (ZDNet) Cyber Police of Ukraine arrested 9 men behind phishing attacks on Ukrainians attempting to capitalize on the ongoing conflict (Security Affairs) North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (CISA) Reports (Moody’s) Clarion Housing ‘cyber incident’ affects thousands of tenants (Cambs Times) In a big potential breach, a hacker offers to sell a Chinese police database. (New York Times) Nearly one billion people in China had their personal data leaked, and it's been online for more than a year (CNN) China data breach likely to fuel identity fraud, smishing attacks (ZDNet) China Tries to Censor What Could Be Biggest Data Hack in History (Gizmodo) Here are four big questions about the massive Shanghai police leak (Washington Post) Shanghai Data Breach Exposes Dangers of China’s Trove (Bloomberg) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 6, 202229 min

S6 Ep 1612Cyberattack hits Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Hacktivists, scammers, misconfigurations, and rogue insiders.

Cyberattack hits a Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Royal Army accounts are hijacked. A hacktivist group claims to have hit Iranian sites. A very very large database of PII is for sale on the dark web. Chase Snyder from ExtraHop has a look back at WannaCry, 5 years on. Ben Yelin examines the constitutionality of keyword search warrants. And a rogue employee makes off with bug reports. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/127 Selected reading. Russian hackers allegedly target Ukraine's biggest private energy firm (CNN) Pro-Russian hackers strike again. Another major company reports that it faced cyberattacks (Vosveteit.sk) Preparing for the long haul: the cyber threat from Russia (NCSC) Official British Army Twitter and YouTube accounts hijacked by NFT scammers (Hot for Security) British army confirms breach of its Twitter and YouTube accounts (the Guardian) British Army hit by cyberattack as Twitter and YouTube accounts hacked (The Telegraph) Iranians' Remote Access to Banking Services Cut Off Over 'Cyber Attacks' (IranWire) (Video) Iranian regime’s Islamic Culture and Communications Organization targeted in massive cyber offensive (EIN News) Hackers Claim Theft of Police Info in China’s Largest Data Leak (Bloomberg) Hacker Selling Shanghai Police Database with Billions of Chinese Citizens Data (HackRead) Giant data breach? Leaked personal data of one billion people has been spotted for sale on the dark web (ZDNet) Hacker claims to have stolen 1 bln records of Chinese citizens from police (Reuters) HackerOne disclosed on HackerOne: June 2022 Incident Report (HackerOne) HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains (The Hacker News) Rogue HackerOne employee steals bug reports to sell on the side (BleepingComputer) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 5, 202229 min

S1 Ep 2Patrick Morley: Former Carbon Black CEO [Cyber CEOs Decoded]

bonus

In this episode, Marc and Patrick Morley, former CEO of Carbon Black, get nostalgic as they discuss Patrick's journey of coming up through the start-up scene in the 90s—from working with VCs to taking companies public—and compare it to running cyber companies today. Along with the early career experience that helped form Patrick's leadership philosophy, he shares his experience of becoming CEO of Bit9, seeing the company through a breach, acquiring Carbon Black, bringing the company public and later getting acquired by VMware—this episode is filled to the brim. You'll also learn about:
- How to build criteria for joining a start-up
- Why cyber is the most mission-driven area of tech
- What it's like to call 600 customers in 2 days after a breach and not lose a single one
- Seven philosophies for running a cyber company
Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 4, 202259 min

S5 Ep 239Could REvil have a copycat? [Research Saturday]

bonus

Larry Cashdollar from Akamai joins Dave to discuss their research on a DDoS campaign claiming to be REvil. The research shares that Akamai's team was notified last week of an attack on one of their hospitality customers, which they called "Layer 7," by a group claiming to be associated with REvil. In the research, they dive into the attack, as well as comparing it to other similar attacks that have been made by the group. The research states "The attacks so far target a site by sending a wave of HTTP/2 GET requests with some cache-busting techniques to overwhelm the website." It also states that this is a smaller attack than they have seen by the group before, and notes that there seems to be more of a political agenda behind the attack, whereas in the past, REvil has been less political. The research can be found here: REvil Resurgence? Or a Copycat? Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 2, 202214 min

S6 Ep 1611Notes on cyber conflict. Lazarus Group blamed for the Harmony cryptocurrency heist. MedusaLocker warning. Observation of the C2C market. The Crypto Queen cracks the FBI’s Ten Most Wanted.

An update on the DDoS attack against Norway. NATO's resolutions on cyber security. North Korea seems to be behind the Harmony cryptocurrency heist. MedusaLocker warnings. Microsoft sees improvements in a gang's technique. Google blocks underworld domains. The Israeli-Iranian conflict in cyberspace. Chris Novak from Verizon with his take on this year’s DBIR. Our guest is Jason Clark of Netskope on the dynamic challenges of a remote workforce. And now among the FBI’s Ten Most Wanted: one Crypto Queen. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/126 Selected reading. Pro-Russian hackers launched a massive DDoS attack against Norway (Security Affairs) NATO establishes program to coordinate rapid response to cyberattacks (POLITICO) NATO to create cyber rapid response force, increase cyber defense aid to Ukraine (CyberScoop) FACT SHEET: The 2022 NATO Summit in Madrid | The White House (The White House) North Korean Lazarus hackers linked to Harmony bridge theft (TechCrunch) North Korea Suspected of Plundering Crypto to Fund Weapons Programs (Wall Street Journal) Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests (Reuters) CISA Alert AA22-181A – #StopRansomware: MedusaLocker. (CISA Cybersecurity Alerts with the CyberWire) #StopRansomware: MedusaLocker (CISA) Microsoft warning: This malware that targets Linux just got a big update (ZDNet) Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers (The Hacker News) Google blocked dozens of domains used by hack-for-hire groups (BleepingComputer) Countering hack-for-hire groups (Google) Gantz orders probe after TV reports hint IDF behind Iran steel plant cyberattack (Times of Israel) Proofpoint: Zionist covert operation? (PressTV) Zionist intelligence company cyberattacked by Iraqi hackers (Mehr) FBI Offers $100,000 Reward for Capture of Ten Most Wanted Fugitive ‘Cryptoqueen’ (FBI) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 1, 202229 min

S1 Ep 23CISA Alert AA22-181A – #StopRansomware: MedusaLocker. [CISA Cybersecurity Alerts]

CISA, the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network are releasing this alert to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol to access victims’ networks. AA22-181A Alert, Technical Details, and Mitigations Stop Ransomware CISA Ransomware Guide CISA No-cost Ransomware Services All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected]. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 30, 20223 min

S6 Ep 1610Killnet hits Norwegian websites. Hacktivists tied to Russia's government. Looking ahead to new cyber phases of Russia's hybrid war. C2C market differentiation. Gennady Bukin, call your shoe store.

Killnet hits Norwegian websites. Hacktivists are tied to Russia's government. Amunet as a case study in C2C market differentiation. C2C commodification extends to script kiddies. Andrea Little Limbago from Interos examines borderless data. Rick Howard speaks with Cody Chamberlain from NetSPI on Breach Communication. Roscosmos publishes locations of Western defense facilities…and subsequently says it sustained a DDoS attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/125 Selected reading. Pro-Russian hacker group says it attacked Norway (The Independent Barents Observer) Cyberattack hits Norway, pro-Russian hacker group fingered (AP NEWS) Norway blames "pro-Russian group" for cyber attack (Reuters) Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’ (Bloomberg) Market Differentiation: Cybercriminal Forums’ Unusual Features Designed To Attract Users (Digital Shadows) Minors Use Discord Servers to Earn Extra Pocket Money Through Spreading Malware (PR Newswire) Russia publishes Pentagon coordinates, says Western satellites 'work for our enemy' (Reuters) Russian Space Agency Targeted in Cyberattack (Wall Street Journal) Cyberattack hits Russian space agency site after sharing NATO photos (Jerusalem Post) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 30, 202229 min

S6 Ep 1609Article 5? It’s complicated. Influence ops for economic advantage. SOHO routers under attack. YTStealer described. RansomHouse hits AMD. A NetWalker affiliate cops a plea.

NATO's response to Killnet's cyberattacks on Lithuania. Influence operations in the interest of national market share. SOHO routers are under attack. YTStealer is out and active in the wild. RansomHouse hits AMD. CISA releases six ICS security advisories. The most dangerous software weaknesses. Betsy Carmelite from Booz Allen Hamilton takes a look back at Biden’s executive order on cyber. Our guest is Philippe Humeau of CrowdSec on taking a collaborative approach to security. And a guilty plea in the case of the NetWalker affiliate. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/124 Selected reading. Could the Russian cyber attack on Lithuania draw a military response from NATO? (Sky News) Pro-PRC DRAGONBRIDGE Influence Campaign Targets Rare Earths Mining Companies in Attempt to Thwart Rivalry to PRC Market Dominance (Mandiant) ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks (Lumen) New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators (Hacker News) RansomHouse Extortion Group Claims AMD as Latest Victim (RestorePrivacy) RansomHouse gang claims to have some stolen AMD data (Register) CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency) 2022 CWE Top 25 Most Dangerous Software Weaknesses (CISA) Netwalker ransomware affiliate agrees to plead guilty to hacking charges (The Record by Recorded Future) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 29, 202229 min

S6 Ep 1608DDoS threat to Lithuania continues. Hacktivists hit Iranian steel mill. Bumblebee loader takes C2C market share. CISA adds Known Exploited Vulnerabilities. Music piracy. Where do spies go?

Distributed denial-of-service attacks against Lithuania. Dark Crystal RAT described. Iranian steel mill suspends production due to cyberattack. Bumblebee rising. CISA adds to its Known Exploited Vulnerabilities Catalog. Music pirate sites brought down by US and Brazilian authorities. Joe Carrigan looks at Apple’s private access tokens. Mister Security Answer Person John Pescatore drops some SBOMs. And where do Russian intelligence officers go after they’ve been PNGed? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/123 Selected reading. Lithuania targeted by massive Russian cyberattack over transit blockade (Newsweek) Russia's Killnet hacker group says it attacked Lithuania (Reuters) Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia (Flashpoint) Ukraine Targeted by Dark Crystal RAT (DCRat) | FortiGuard Labs (Fortinet Blog) Cyberattack Forces Iran Steel Company to Halt Production (SecurityWeek) Iran’s steel industry halted by cyberattack (Jerusalem Post) Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem (Broadcom Software Blogs) CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA) US, Brazil seize 272 websites used to illegally download music (BleepingComputer) Swiss intel service: Watch out for redeployed Russian spies (AP News) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 28, 202228 min

S6 Ep 1607Notes from the cyber phases of the hybrid war against Ukraine. Conti retires its brand, and LockBit 2.0 is now tops in ransomware. Extortion skips the encryption. Cyber exercise in the financial sector.

Lithuania sustains a major DDoS attack. Lessons from NotPetya. Conti's brand appears to have gone into hiding. Online extortion now tends to skip the ransomware proper. Josh Ray from Accenture on how social engineering is evolving for underground threat actors. Rick Howard looks at Chaos Engineering. US financial institutions conduct a coordinated cybersecurity exercise. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/122 Selected reading. Russia's Killnet hacker group says it attacked Lithuania (Reuters) The hacker group KillNet has published an ultimatum to the Lithuanian authorities (TDPel Media) 5 years after NotPetya: Lessons learned (CSO Online) The cyber security impact of Operation Russia by Anonymous (ComputerWeekly) Conti ransomware finally shuts down data leak, negotiation sites (BleepingComputer) The Conti Enterprise: ransomware gang that published data belonging to 850 companies (Group-IB) Fake copyright infringement emails install LockBit ransomware (BleepingComputer) NCC Group Monthly Threat Pulse – May 2022 (NCC Group) We're now truly in the era of ransomware as pure extortion without the encryption (Register) Wall Street Banks Quietly Test Cyber Defenses at Treasury’s Direction (Bloomberg) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 27, 202224 min

S3 Ep 106Richard Melick: Finding the right pattern to solve the problem. [Threat reporting] [Career Notes]

bonus

Richard Melick, Director of Threat Reporting for Zimperium, talks about his journey, from working in the military to moving up to the big screens. He shares that he's been in the business of solving unique cybersecurity problems for so long that he has found his own path that works very well for him. He says, "if I go to a unique problem and try to solve it, I find that I'm solving it the same way that I would've solved it five years ago, because I found my pattern." Richard reflects on his time working in the industry, from moving away from the military and into different roles over the years. He notes that giving credit where credit is due, to those who deserve it, is how you keep the audience engaged as a storyteller. We thank Richard for sharing his story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 26, 20227 min

S5 Ep 238Lazarus Targets Chemical Sector With 'Dream Job.' [Research Saturday]

bonus

Alan Neville, a Threat Intelligence Analyst from Symantec Broadcom, joins Dave to discuss their research "Lazarus Targets Chemical Sector." Symantec has observed the North Korea-linked threat group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of the group's activity called Operation Dream Job, which Symantec first came across in August of 2020. The research states "evidence includes file hashes, file names, and tools that were observed in previous Dream Job campaigns." The research can be found here: Lazarus Targets Chemical Sector Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 25, 202221 min

S6 Ep 1606Lithuania warns of DDoS. Some limited Russian success in cyber phases of its hybrid war. Spyware infestations in Italy and Kazakhstan. Tabletop exercises. Ransomware as misdirection.

Lithuania's NKSC warns of increased DDoS threat. Limited Russian success in the cyber phases of its hybrid war. Another warning of spyware in use against targets in Italy and Kazakhstan. Hey, critical infrastructure operators: CISA’s got tabletop exercises for you. Kevin Magee from Microsoft has advice for recent grads. A look back at the year since Colonial Pipeline with Padraic O'Reilly of CyberSaint. And sometimes ransomware is just a spy’s way of saying, “nothing up my sleeve…” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/121 Selected reading. Lithuania warns of rise in DDoS attacks against government sites (BleepingComputer) Defending Ukraine: Early Lessons from the Cyber War (Microsoft) Why think tanks are such juicy targets for cyberspies (The Record by Recorded Future) The war in Ukraine is showing the limits of cyberattacks (Tech Monitor) Spyware vendor targets users in Italy and Kazakhstan (Google Threat Analysis Group) BRONZE STARLIGHT Ransomware Operations Use HUI Loader (SecureWorks) CISA Tabletop Exercises Packages (CTEP) (CISA) CISA Tabletop Exercise Package (CTEP) Workshop (Government Technology) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 24, 202228 min

S1 Ep 22CISA Alert AA22-174A – Malicious cyber actors continue to exploit Log4Shell in VMware Horizon systems. [CISA Cybersecurity Alerts]

CISA and the US Coast Guard Cyber Command are releasing this joint Cybersecurity Advisory to warn network defenders that cyber threat actors, including state-sponsored APT actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds.

AA22-174A Alert, Technical Details, and Mitigations
Malware Analysis Report 10382254-1 (STIX)
Malware Analysis Report 10382580-1 (STIX)
CISA’s Apache Log4j Vulnerability Guidance webpage
Joint CSA Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
CISA’s database of known vulnerable services on the CISA GitHub page

See National Security Agency (NSA) and Australian Signals Directorate (ASD) guidance Block and Defend Web Shell Malware for additional guidance on hardening internet-facing systems. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].

Jun 24, 2022 · 3 min

S6 Ep 1605: Reviewing Russian cyber campaigns in the war against Ukraine. Ukraine's IT Army is a complex phenomenon. Take ICEFALL seriously. CISA has updated its cloud security guidance.

Reviewing Russian cyber campaigns in the war against Ukraine, and the complexity of Ukraine's IT Army. ICEFALL advice and reactions. Carole Theriault looks at Hollywood’s relationship with VPNs. Podcast partner Robert M. Lee from Dragos provides a rundown on Pipedream. And CISA updates its Cloud Security Technical Reference Architecture. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/120

Selected reading.
[Blog] Defending Ukraine: Early Lessons from the Cyber War (Microsoft On the Issues)
[Report] Defending Ukraine: Early Lessons from the Cyber War (Microsoft)
Russian cyber spies attack Ukraine's allies, Microsoft says (Reuters)
Research questions potentially dangerous implications of Ukraine's IT Army (CyberScoop)
The IT Army of Ukraine: Structure, Tasking, and Ecosystem (Center for Security Studies)
CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report (CISA)
Industry Reactions to 'OT:Icefall' Vulnerabilities Found in ICS Products (SecurityWeek)
Cloud Security Technical Reference Architecture (CISA)

Jun 23, 2022 · 28 min

S6 Ep 1604: A Fancy Bear sighting. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT discovered. ICEFALL ICS issues described. Europol collars 9. Say it ain’t so, Dmitry.

Fancy Bear sighted in Ukrainian in-boxes. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT is active in European and Asian networks. ICEFALL ICS vulnerabilities described. CISA issues ICS vulnerability advisories. Europol makes nine collars. Andrea Little Limbago from Interos on the global state of data protection and sharing. Rick Howard speaks with Michelangelo Sidagni from NopSec on the future of vulnerability management. We are shocked, shocked, to hear of corruption in the FSB. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/119

Selected reading.
Ukrainian cybersecurity officials disclose two new hacking campaigns (CyberScoop)
Ukraine Warns of New Malware Campaign Tied to Russian Hackers (Bloomberg Law)
Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware (BleepingComputer)
Opinion: How Russia’s vaunted cyber capabilities were frustrated in Ukraine (Washington Post)
New Toddycat APT Targets MS Exchange Servers in Europe and Asia (Infosecurity Magazine)
Microsoft Exchange servers hacked by new ToddyCat APT gang (BleepingComputer)
OT:ICEFALL: 56 Vulnerabilities Caused by Insecure-by-Design Practices in OT (Forescout)
From Basecamp to Icefall: Secure by Design OT Makes Little Headway (SecurityWeek)
Dozens of vulnerabilities threaten major OT device makers (Cybersecurity Dive)
CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)
Phishing gang behind several million euros worth of losses busted in Belgium and the Netherlands (Europol)
Lieutenant colonel of the FSB directorate for Samara region arrested for stealing cryptocurrency from a hacker (TASS)

Jun 22, 2022 · 28 min

S6 Ep 1603: Cyberattack suspected in Israeli false alarms. Risk surface assessments. Fitness app geolocation as a security risk. Cyber phases of Russia’s hybrid war. A conviction in the Capital One hacking case.

A cyberattack is suspected of causing false alarms in Israel. Risk surface assessments. Renewed warning of the potential security risks of fitness apps. Cyber options may grow more attractive to Russia as kinetic operations stall. DDoS in St. Petersburg. Ben Yelin details a Senate bill restricting the sale of location data. Our guest is Jon Check from Raytheon's Intelligence and Space Division discussing the National Collegiate Cyber Defense Competition. A conviction in the Capital One hacking case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/118

Selected reading.
Suspected cyberattack triggers sirens in Jerusalem, Eilat (Israel Hayom)
Suspected Iranian Cyberattack on Israel Triggers Sirens (Haaretz)
Iranian cyberattack may be behind false rocket warning sirens in Jerusalem (Jerusalem Post)
Israel suspects Iranian cyber-attack behind false siren alerts (Middle East Monitor)
Strava fitness app used to spy on Israeli military officials (Computing)
Treasury's Adeyemo sees elevated cyber threats in wake of Russia's war in Ukraine (Reuters)
More cyber warfare with Russia lies on the horizon (Interesting Engineering)
Prolonged war may make Russia more cyber aggressive, US official says (C4ISRNet)
What the Russia-Ukraine war means for the future of cyber warfare (The Hill)
Complex Russian cyber threat requires we go back to basics (ComputerWeekly.com)
Vladimir Putin speech delayed 'because of cyber-attack' as he hits out at 'economic blitzkrieg' against Russia (Scotsman)
UPDATE 1-Putin's St Petersburg speech postponed by an hour after cyberattack (Yahoo)
Think of the Russia-Ukraine conflict as a microcosm of the cyber war (SC Magazine)
The link between cyberattacks and war: Gartner (CRN Australia)
Ex-Amazon Worker Convicted in Capital One Hacking (New York Times)
Jury Convicts Seattle Woman in Massive Capital One Hack (SecurityWeek)
Former Seattle tech worker convicted of wire fraud and computer intrusions (US Attorney’s Office, Western District of Washington)

Jun 21, 2022 · 29 min

Interview select: David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement.

As we break to observe the Juneteenth holiday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with FBI Cyber Section Chief David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement. Like what you hear? Consider subscribing to CyberWire Pro for $99/year.

Jun 20, 2022 · 16 min

S3 Ep 105: Lauren Van Wazer: You have to be your own North Star. [CISSP] [Career Notes]

bonus

Lauren Van Wazer, Vice President, Global Public Policy and Regulatory Affairs for Akamai Technologies, shares her story as she followed her own North Star and landed where she is today. She describes her career path, highlighting how she went from working at AT&T to being able to work in the White House. She shares how she is a coach and a leader to the team she works with now, saying "my view is I've got their back, if they make a mistake, it's my mistake, and if they do well, they've done well." Lauren hopes she's made an impact in the world by making it a little bit better than before, and discusses how she doesn't let anyone stop her from her goals. Lauren shares her outlook on her experiences, calling attention to different roles in her life that made her journey all the better. We thank Lauren for sharing.

Jun 19, 2022 · 7 min